Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 11:48

General

  • Target
    e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
  • Size
    281KB
  • MD5
    4885173ebfa2267b9906d45bc6a2d2e0
  • SHA1
    38687ac8894e2401315c6626ec57a3d0fcae8b9e
  • SHA256
    e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795
  • SHA512
    e398c05009f16e66a6425f924e5b82dd2f3e31be44fe2564b444ff3f8e8f65bb567a458d759df57bb91e373449b6ae6a2adf841ee33918218d9d7505cb6cd5cf
  • SSDEEP
    6144:Te34l9w0oHtBuAbJ8zk2OXp8TqPcv8h4SKEumqQI:0HSjzxgpiqP1/KEnqQI

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe
    "C:\Users\Admin\AppData\Local\Temp\e5d0baf3949f0d40395bdc947fc1e633fad3d73a6bdf8f384e0fd91bd4e82795.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\shandian\home.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_expand_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.jlbnh.com/?tn 4" /f
        3⤵
        • Modifies registry class
        PID:1060
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 4" /f
        3⤵
        PID:2636
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.jlbnh.com/?tn 4" /f
        3⤵
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
    Bootkit (1) T1067
  • Defense Evasion
    Modify Registry (3) T1112
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (2) T1082

Downloads

  • C:\Program Files (x86)\shandian\home.bat
    Filesize
    703B
    MD5
    9b86748bf8bcfc00712942d6285d49a2
    SHA1
    06a20159bdb81e5501e7c65f2e8c75b142916090
    SHA256
    07943cb2547088ed5ce1b349010d47f6b98b0a52e2aa9de6ae8fee98929b2753
    SHA512
    34d3f5a659a69bfdc4b6df04c09a14d70b3342ab3023aebc8d5b67aa389b47ea01bafab569da3ba396e09d9a08e5a1bc66611e13b0c329e7bb6fa96c0ae643a9

  • C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\Md5dll.dll
    Filesize
    8KB
    MD5
    a7d710e78711d5ab90e4792763241754
    SHA1
    f31cecd926c5d497aba163a17b75975ec34beb13
    SHA256
    9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
    SHA512
    f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

  • C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\System.dll
    Filesize
    11KB
    MD5
    00a0194c20ee912257df53bfe258ee4a
    SHA1
    d7b4e319bc5119024690dc8230b9cc919b1b86b2
    SHA256
    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
    SHA512
    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

  • C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\bind.dll
    Filesize
    71KB
    MD5
    e2b78c96162ad8c36a623e6a4ba1c216
    SHA1
    768b7bd184f2424099b964b2c9b68ef7fc8792dd
    SHA256
    ac615795d598b1c07aecd00e877c89abf71caa4d7d479cfab2d847f238f599cf
    SHA512
    f1d4cc27d44ecc7c5ef178972504637f42326e573a58fac2d918160a267e51b6123d627f324ce952e748242f5b13e4760089fc16d221229a93854124aa405fac

  • C:\Users\Admin\AppData\Local\Temp\nsv717C.tmp\xID.dll
    Filesize
    9KB
    MD5
    3a5ed71aa9c6846d95d57235c4c443d7
    SHA1
    08156d29bed654f8f8d7f46ddbce84d22d4710cf
    SHA256
    5e3fa4d610cb2d80ed9991cb2562bd70c5b4d49dbcf4e42a1017c59eedbe28a4
    SHA512
    5cdb5059020c20a83f230ae2d75bfb6fd69a03418ba6407336db9f0c653fea1e8f4a51400812da81a8bde2f6e4d95fd80e29eb462e818ddbd881789c00d5d1d1

  • memory/344-138-0x0000000000000000-mapping.dmp
  • memory/1060-140-0x0000000000000000-mapping.dmp
  • memory/1672-142-0x0000000000000000-mapping.dmp
  • memory/2636-141-0x0000000000000000-mapping.dmp